Splunk® Supported Add-ons

Splunk Add-on for Microsoft SQL Server

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Configure DB Connect v1 inputs for the Splunk Add-on for Microsoft SQL Server

To gather Trace log logs, audit logs, and data from Dynamic Management Views, the Splunk Add-on for Microsoft SQL Server leverages Splunk DB Connect. Follow the instructions that correspond to the version of DB Connect that you have installed. This topic presents the instructions for DB Connect Version 1.1.6, 1.1.7, or 1.2.X.

Note: If you are using DB Connect version 2.x, see "Configure DB Connect v2 inputs for the Splunk Add-on for Microsoft SQL Server."

Configure Dynamic Management View data collection

Configure data collection from your Microsoft SQL Server Dynamic Management Views using Splunk DB Connect.

1. Following the directions in the Splunk DB Connect documentation, create a database connection called sqlserver_default_connection. All stanzas for Splunk DB Connect monitoring contain the name of this database connection. Create it before proceeding with any DB Connect input configurations for this add-on. If you use a database connection name other than sqlserver_default_connection, replace all instances of the string sqlserver_default_connection in %SPLUNK_HOME%\etc\apps\dbx\local\inputs.conf with the name you select instead.

Note: Specific permissions are required.

  • The user that you use to configure the connection must have SELECT permission on objects and VIEW SERVER STATE or VIEW DATABASE STATE permissions. See http://msdn.microsoft.com/en-us/library/ms188754.aspx for more information about the required permissions.
  • If you want to create audits via DB Connect, ensure that the user has ALTER ANY DATABASE AUDIT permission and CONTROL SERVER, ALTER ANY DATABASE AUDIT permissions, or is the sysadmin account. For additional information, see http://msdn.microsoft.com/en-us/library/cc280424.aspx. If you want to create audits via DB Connect, uncheck the Read Only option and connect to the master database.

2. In %SPLUNK_HOME%\etc\apps\dbx\local\inputs.conf replace "disabled = 1" with "disabled = 0" for all the monitoring tasks you wish to enable.

For more details about each Dynamic Management View event, refer to the "Data from Dynamic Management View" section of the source types reference page.

Configure trace and audit log collection

Trace logs and audit events are in binary format, so the add-on collects them via Splunk DB Connect. DB connect uses the SQL function fn_trace_gettable to parse the trace log content and the SQL function sys.fn_get_audit_file to parse the audit event content.

Configure the collection of these logs in your %SPLUNK_HOME%\etc\apps\dbx\local\inputs.conf.

1. Change the path of the SQL Server trace log file position in stanza [dbmon-tail://sqlserver_default_connection/mssql_profilerlog].

2. Change the path of audit log file path in the stanza [dbmon-tail://sqlserver_default_connection/mssql_audit].

3. Restart your Splunk platform instance for the changes to take effect.

Adjust your auto KV extraction settings

Some source types, such as mssql:execution:dm_exec_query_stats retrieve fields with multiple lines. To ensure that your fields show the full values that you expect, adjust your KV extraction settings.

  1. Open %SPLUNK_HOME%\etc\system\local\limits.conf.
  2. Add or change this stanza:
[kv]
maxchars = 20480
Last modified on 01 April, 2016
 

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters